Topic: Default permissions for SME files

[Allan Pritchard]

Hi All

We have had an on ging issue in our office where file permissions are being set to user:user for some files/folders instead of owner:group so only that person can ever access that file/folder. I'm trying to research if anyone else is having this issue. However........

I the mean time one of our young guys in our office thought he would be smart and to a chown -R root:group * on the folder in the ibay to reset all of the permissions on all of the files.

Somehow he manged to do this at / so all of the server config files were set to root:staff (staff being the group) my question is, is there a way of resetting these to their defaults? most files are root:root but some are obviously not such as radbd is root:radiusd. Or is there at least a list of permissions somewhere to manually go through and set correctly ?

Any help would be appreciated (and yes the person in question has been told not to access the server console anymore)

Cheers
Allan

[Allan Pritchard]

Following on from my post

We have both an onsite and offsite Affa back-up. The onsite backup is about to run and the offsite runs tonight.

My current thinking is to "Rise" the onsite server tomorrow morning - the file permissions for Ibays are easy to correct (if wrong) and the others under /home/e-smith/... are relatively straight forward and I have corrected most today if they get transferred in the backup.

The issue today has been email, no emails in or out. one thing we noted is we could not log onto server-admin, it came up with incorrect user or password. I'm relatively confident that the rise option will only carry over data but the bulk of the server files will be fresh SME server 9.1 files with the correct permissions. Is there anything under /home/e-smith or /etc or /root that I should be careful of from the affa backup?

before I go and do this is there any options I can try when booting from the install media to reinstall the SME system but preserve /home/e-smith

And I do apologise if these are dumb questions this is a little out of my depth

Cheers
Allan               
-

[Daniel B.]

You could try this https://wiki.contribs.org/Useful_Commands#Restore_all_permissions_and_ownership
It'll restore permissions on every file and folder which belongs to an RPM

[Allan Pritchard]

Hi Daniel

Thanks, I read that one today also but was unsure if the base files of SME counted when it says "all permissions and right ownership of rpms"  I read it as installed rpms over the base files. Did I read that wrong ? I guess its not actually going to cause more issues if I try after the last backup of today.

Cheers
Allan

[Jean-Philippe Pialasse]

Actually even base files are either the result of (1) rpm installation or (2) template generation or (3)create by a service.

the procedure pointed by Daniel should do for (1). A signal-event post-upgrade; signal-event reboot  should do for (2) and some of the (3).
You might afterward have some files related to (3) leading to some errors you could catch watching the logs.
I think as example spamassassin learning files or clamav db files.

At the end this will leaves to you only the user created files, which should mostly be somewhere under /home/e-smith/

[Jean-Philippe Pialasse]

I the mean time one of our young guys in our office thought he would be smart and to a chown -R root:group * on the folder in the ibay to reset all of the permissions on all of the files.

Somehow he manged to do this at / so all of the server config files were set to root:staff

that's why we should never do this from root of filesystem (/) or from a non direct parent directory:

Code: [Select]

cd /home/e-smith/files/ibays/myibay/and when using recursive option I also suggest to add it at the end

Code: [Select]

chown root:group html -Rthis tends to limit the mess if you hit enter before the end of the path you intended.

[Allan Pritchard]

cheers

I had left specific instructions that once he logged in he had to navigate to the /ibay/files/{path to folder} before he could do anything
unfortunately he decided to try a few things out to speed up the process and got it very wrong. I guess we all learn by mistakes.

[Allan Pritchard]

I've run both command scripts suggested by Daniel

Everything seems to be up and going, emails coming through. Cheers, I was a bit nervous running these without some advice

I'll look through the logs tomorrow and manually correct anything that pops up

Thanks for all of your help.

Cheers
Allan

[Stefano]

happy to know that everything is up&running again..

time to change root's password and keep it secret, isn't it?